
A novel phishing technique unveiled this weekend by security researcher Dennis Kniep significantly enhances the effectiveness of device code phishing attacks, automating a process that can bypass even FIDO-based authentication protections.
The new method uses a headless browser on the attacker's infrastructure to start the OAuth 2.0 Device Code Flow the moment a victim clicks a phishing link, so the victim never has to type a code and the code's short validity window stops being a problem for the attacker.
Automated light-speed phishing
Dennis Kniep explained that device code phishing itself is not new; his approach modernizes the attack by removing the manual steps the victim previously had to perform. Traditionally, attackers sent the victim a device code together with the verification URL and relied on the victim to open the page and enter the code within a tight 10-minute window. In the new variant, a headless browser embedded in the attack infrastructure requests the device code, opens the legitimate verification page, enters the code itself and then redirects the victim to the resulting genuine sign-in screen. The victim therefore interacts only with the real identity provider on its real domain, with no lookalike URL and no unfamiliar code prompt to raise suspicion, while the attacker's client keeps polling the token endpoint in the background until the victim's sign-in completes.
Device code phishing is particularly dangerous because the authentication happens out of band from the client that ultimately receives the token. FIDO defeats conventional credential and reverse-proxy phishing because the authenticator binds its signature to the origin of the page performing the ceremony; here the victim really is on the legitimate login origin, so the WebAuthn ceremony succeeds, yet the token is issued to whichever client started the device code flow and polls the token endpoint, which is the attacker's. This gap is not a flaw in the FIDO protocol itself but a consequence of how OAuth's device code flow works. As Kniep points out, any platform that implements device code flow, Microsoft Entra ID (formerly Azure AD) included, remains exposed even when phishing-resistant methods such as FIDO are enforced.
Kniep demonstrated the attack against Microsoft Entra ID, the cloud identity and access management platform widely used by enterprises. Even with strict Conditional Access policies enforcing FIDO-only authentication, an attacker who completes the device code flow receives valid access and refresh tokens for the victim's account. With those tokens, tools such as GraphRunner or TokenTacticsV2 can be used to access cloud resources, exfiltrate data and move laterally within the organization's Microsoft 365 environment.
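The exchange the two paragraphs above describe, reduced to a self-contained simulation (an added example, not code from the DeviceCodePhishing PoC or from Microsoft): a toy RFC 8628 authorization server with a device-authorization endpoint, a user-facing verification step and a polled token endpoint. The attacker's client starts the flow, the victim authenticates with FIDO on the genuine verification page, and the token is nevertheless returned to the client holding the device_code. The `block_device_code_flow` flag is an assumed stand-in for a Conditional Access policy that blocks the flow at the user's sign-in; the endpoints, client names and token format are all invented for the simulation.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not the PoC's code and not Microsoft Entra ID: the server, the
user code format, the policy flag and the token strings are all simulated.
"""
import secrets
import string
import time

AUTHORIZATION_PENDING = {"error": "authorization_pending"}
CODE_LIFETIME = 900  # seconds; RFC 8628 leaves the lifetime to the server


class DeviceCodeServer:
    """Authorization server with one device-code table and a tenant policy flag."""

    def __init__(self, block_device_code_flow=False):
        # Assumed stand-in for a Conditional Access "block device code flow" policy.
        self.block_device_code_flow = block_device_code_flow
        self.codes = {}          # device_code -> record (seen only by the client)
        self.by_user_code = {}   # user_code -> same record (seen by the human)

    def device_authorization(self, client_id, scope):
        """POST /devicecode: anyone, including the attacker's headless browser, can start a flow."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        record = {"client_id": client_id, "scope": scope, "user": None,
                  "user_code": user_code, "expires": time.time() + CODE_LIFETIME}
        self.codes[device_code] = record
        self.by_user_code[user_code] = record
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": CODE_LIFETIME}

    def user_login(self, user_code, user, method):
        """The verification page on the genuine origin. The victim's FIDO ceremony
        happens here and succeeds, because the origin really is the identity provider.
        Nothing ties this browser to the client that will later collect the token."""
        record = self.by_user_code.get(user_code)
        if record is None or record["expires"] < time.time():
            return {"error": "invalid_user_code"}
        if self.block_device_code_flow:
            # Policy enforced at sign-in: the user sees the block, the client never gets a token.
            return {"error": "access_denied",
                    "error_description": "device code flow blocked by policy"}
        if method != "fido2":
            return {"error": "access_denied",
                    "error_description": "policy requires phishing-resistant MFA"}
        record["user"] = user
        return {"status": "approved"}

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code,
        polled by the client that started the flow, i.e. the attacker."""
        record = self.codes.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if record["expires"] < time.time():
            return {"error": "expired_token"}
        if record["user"] is None:
            return AUTHORIZATION_PENDING
        return {"access_token": f"token-for-{record['user']}",
                "token_type": "Bearer", "scope": record["scope"]}


def run_phish(block_flow=False):
    """One attack exchange: attacker starts the flow, victim approves with FIDO, attacker polls."""
    server = DeviceCodeServer(block_device_code_flow=block_flow)
    # 1. The attacker's headless browser starts the flow the moment the phishing link is clicked.
    #    Real attacks pick a client_id the tenant already trusts; this one is invented.
    start = server.device_authorization(client_id="attacker-chosen-public-client",
                                        scope="openid offline_access")
    # 2. The headless browser types start["user_code"] into the real verification page and
    #    hands the victim the resulting genuine sign-in URL; the victim uses their security key.
    approval = server.user_login(start["user_code"],
                                 user="victim@contoso.example", method="fido2")
    # 3. The attacker polls with the device_code it kept. The token goes to the poller,
    #    not to the browser that passed the FIDO check.
    result = server.token(start["device_code"])
    return approval, result


if __name__ == "__main__":
    print("unblocked tenant:", run_phish())
    print("blocked tenant:  ", run_phish(block_flow=True))
```

Running it prints the victim's token for the unblocked tenant and `authorization_pending` for the blocked one: the FIDO ceremony passed in both cases, and only the policy that refuses the grant altogether stops the attacker's poller from ever being rewarded.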
This new automated method builds upon previous real-world attacks observed since mid-2024, where Russian-linked groups like Storm-2372, CozyLarch (APT29), and UTA0304 leveraged manual device code phishing to compromise Microsoft 365 accounts across governmental and private sectors. Those earlier attacks required more social engineering effort, including persuading victims to manually input codes. Kniep's technique lowers the barrier to success, making phishing more seamless and harder to detect.
The proof-of-concept tool, named DeviceCodePhishing, was published on Kniep's GitHub repository over the weekend. It targets Microsoft Entra ID users and includes Docker deployment and custom tenant configuration. Although the PoC currently focuses on Entra ID, the underlying concept is platform-agnostic and applies in principle to any identity provider that supports device code authentication.
Given the severity of this threat, Kniep advises organizations to disable Device Code Flow entirely where possible. For Entra ID tenants, this can be enforced with a Conditional Access policy that uses the "Authentication flows" condition to block device code flow; because legitimate CLI tools, IoT devices and other input-constrained clients rely on the same flow, the policy should be tested against those use cases and scoped with explicit exceptions rather than disabled wholesale. Sign-ins that arrive through device code flow are also recorded as such in the Entra sign-in logs, so they can be reviewed even where the flow cannot yet be blocked. Until broader protocol-level protections are implemented, organizations that rely solely on phishing-resistant authentication must reassess their exposure to device code phishing.
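For tenants that cannot block the flow outright, the review the paragraph above mentions can be scripted. The following is an added example, not code from the article or the PoC: it walks exported sign-in records, flags every sign-in that used device code flow, and raises the severity when the sign-in succeeded from an address the user has never used for an ordinary interactive sign-in in the same export. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`); the log lines themselves are constructed for the example, and the error code 53003 used for a Conditional Access block and the severity scale are assumptions of this script rather than anything the article specifies.

```python
"""Flag device code sign-ins in an export of Microsoft Entra sign-in logs.

Added example, not from the article or the DeviceCodePhishing PoC. The records
below are constructed; field names follow the Microsoft Graph signIn resource.
"""
import json
from collections import defaultdict

# Constructed sample export, one JSON object per line.
SAMPLE_LOGS = """\
{"createdDateTime": "2025-05-03T09:12:04Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-03T09:40:51Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-03T10:02:13Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-03T10:05:40Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.78", "authenticationProtocol": "deviceCode", "status": {"errorCode": 53003}}
{"createdDateTime": "2025-05-03T11:15:00Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.30", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-03T11:20:19Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.30", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
"""

DEVICE_CODE = "deviceCode"
CA_BLOCKED = 53003  # assumed: error code reported for a Conditional Access block


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records):
    """Return one finding per device code sign-in, ordered as in the export.

    Severity (an assumption of this script):
      high   - succeeded from an IP the user never used for a non-device-code sign-in
      medium - succeeded from an IP already seen for that user's ordinary sign-ins
      low    - failed (e.g. blocked by policy); evidence of an attempt, not a compromise
    """
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != DEVICE_CODE and r["status"]["errorCode"] == 0:
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != DEVICE_CODE:
            continue
        user = r["userPrincipalName"]
        code = r["status"]["errorCode"]
        succeeded = code == 0
        new_ip = r["ipAddress"] not in known_ips[user]
        if succeeded and new_ip:
            severity = "high"
        elif succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "severity": severity,
            "blocked_by_policy": code == CA_BLOCKED,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_signins(SAMPLE_LOGS)):
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} from {f['ip']}"
              + (" (blocked)" if f["blocked_by_policy"] else ""))
```

On the sample export this reports alice as high (a successful device code sign-in from an address she has never used interactively, the shape a phished token leaves behind), carol as medium (same address as her normal sign-ins, consistent with a developer using a CLI), and bob as low because the policy blocked the attempt. In practice the "known IP" baseline should come from a longer history than a single export, and the `appDisplayName` of successful findings is worth comparing against the clients the tenant actually expects to use device code flow.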